diff options
Diffstat (limited to 'package/kernel/ksmbd/patches/10-ksmbd-check-nt_len-to-be-at-least-CIFS_ENCPWD_SIZE-i.patch')
-rw-r--r-- | package/kernel/ksmbd/patches/10-ksmbd-check-nt_len-to-be-at-least-CIFS_ENCPWD_SIZE-i.patch | 36 |
1 files changed, 0 insertions, 36 deletions
diff --git a/package/kernel/ksmbd/patches/10-ksmbd-check-nt_len-to-be-at-least-CIFS_ENCPWD_SIZE-i.patch b/package/kernel/ksmbd/patches/10-ksmbd-check-nt_len-to-be-at-least-CIFS_ENCPWD_SIZE-i.patch deleted file mode 100644 index 198e752106..0000000000 --- a/package/kernel/ksmbd/patches/10-ksmbd-check-nt_len-to-be-at-least-CIFS_ENCPWD_SIZE-i.patch +++ /dev/null @@ -1,36 +0,0 @@ -From 8824b7af409f51f1316e92e9887c2fd48c0b26d6 Mon Sep 17 00:00:00 2001 -From: William Liu <will@willsroot.io> -Date: Fri, 30 Dec 2022 09:13:35 +0900 -Subject: ksmbd: check nt_len to be at least CIFS_ENCPWD_SIZE in - ksmbd_decode_ntlmssp_auth_blob -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -"nt_len - CIFS_ENCPWD_SIZE" is passed directly from -ksmbd_decode_ntlmssp_auth_blob to ksmbd_auth_ntlmv2. Malicious requests -can set nt_len to less than CIFS_ENCPWD_SIZE, which results in a negative -number (or large unsigned value) used for a subsequent memcpy in -ksmbd_auth_ntlvm2 and can cause a panic. - -Fixes: e2f3448 ("cifsd: add server-side procedures for SMB3") -Cc: stable@vger.kernel.org -Signed-off-by: William Liu <will@willsroot.io> -Signed-off-by: Hrvoje Mišetić <misetichrvoje@gmail.com> -Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> ---- - auth.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - ---- a/auth.c -+++ b/auth.c -@@ -583,7 +583,8 @@ int ksmbd_decode_ntlmssp_auth_blob(struc - dn_off = le32_to_cpu(authblob->DomainName.BufferOffset); - dn_len = le16_to_cpu(authblob->DomainName.Length); - -- if (blob_len < (u64)dn_off + dn_len || blob_len < (u64)nt_off + nt_len) -+ if (blob_len < (u64)dn_off + dn_len || blob_len < (u64)nt_off + nt_len || -+ nt_len < CIFS_ENCPWD_SIZE) - return -EINVAL; - - #ifdef CONFIG_SMB_INSECURE_SERVER |